Abstract

This paper studies the relationships between the traditional Diffie-Hellman key agreement
protocol and the identity-based (ID-based) key agreement protocol from pairings.

For the Sakai-Ohgishi-Kasahara (SOK) ID-based key construction, we show that, identical to
the Diffie-Hellman protocol, the SOK key agreement protocol also has three variants, namely
ephemeral, semi-static and static versions. Upon this, we build solid relations between
authenticated Diffie-Hellman (Auth-DH) protocols and ID-based authenticated key agreement (IB-AK)
protocols, whereby we present two substitution rules for these two types of protocols. The rules
enable a conversion between the two types of protocols. In particular, we obtain the real ID-based
version of the well-known MQV (and HMQV) protocol.

Similarly, for the Sakai-Kasahara (SK) key construction, we show that the key transport
protocol underlying the SK ID-based encryption scheme (which we call the "SK protocol") has
its non-ID counterpart, namely the Hughes protocol. Based on this observation, we establish
relations between corresponding ID-based and non-ID-based protocols. In particular, we propose
a highly enhanced version of the McCullagh-Barreto protocol.

Key words. Authenticated Diffie-Hellman, SOK protocol, ID-based key agreement, ID-MQV, 
eMB 

1 Introduction 

In 2005, Boyd and Choo ^Tj and Wang et al. [35] noticed that there are some similarities between
(pairing-based) ID-based and non-ID-based authenticated key agreement (AK) protocols. This study
further investigates this observation. Interestingly, we discover much more than those researchers
previously might have imagined.

1.1 Proposed Novel Protocols 

We discover some important substitution rules (see Tables 3 and 4) between the two different types of
protocols. The rules enable a useful conversion between the authenticated versions of the two types
of protocols. By applying these rules, we present three novel protocols (namely, the protocols which
are highlighted in bold in Tables 1 and 2), which possess remarkable performance and security.

1. The real ID-based version of the MQV (and HMQV) protocol — ID-MQV. (See Fig. 12)

2. The enhanced MB (McCullagh-Barreto) ID-based protocol — eMB. (See Fig. 16)

3. The non-ID-based version of the SYL protocol — nID-SYL. (See Appendix A, Fig. 18)

* First version, January 2008; this version (July 2009) is a minor revision.

† (Email: shengbaowang@gmail.com) The author is currently with New Star Institute of Applied Technology, China



Table 1: Corresponding Protocols (non-ID-Based vs. ID-Based)

Protocol Type   Prot. Message     Auth. DH Protocols <=> ID-Based Protocols
A0              $T_A = xP$        MTI/A0 <=> Smart [31]
Enhanced A0                       (H)MQV <=> ID-MQV (See Fig. 12)
A1              $T_A = xQ_A$      MTI/A1 <=> Chen-Kudla [11]
Enhanced A1                       (H)MQV-1 <=> Wang [33], Chow-Choo [10]
C0              $T_A = xQ_B$      MTI/C0 <=> MB-1 [20]
Enhanced C0                       ECKE-1N [37] <=> eMB (See Fig. 16)
B0                                MTI/B0 <=> MB-2 [21]
C1              $T_A = xF_{ab}$   MTI/C1 <=> Scott [26]
Enhanced C1                       Enhanced MTI/C1 (See Fig. 19) <=> Open Problem!


Table 2: Corresponding Protocols (Broken and Repaired Ones)

Protocol Type       Protocol Message   Auth. DH Protocols        <=>   ID-Based Protocols
A0 Variant-1        $T_A = xP$         Reduced MQV               <=>   Shim [28]
Repaired Protocol                      nID-SYL (See Fig. 18)     <=>   SYL [10]
C0 Variant-1        $T_A = xQ_B$       $K = (x + y + xy)P$       <=>   Xie [sg
Repaired Protocol                      $K = (x + y)P \| xyP$     <=>   LYL [H]




2 Preliminaries

2.1 Bilinear Pairings

Let $G_1$ denote an additive group of prime order $q$ and $G_2$ a multiplicative group of the same order.
We let $P$ denote a generator of $G_1$. For us, an admissible pairing is a map $e : G_1 \times G_1 \to G_2$ with
the following properties:

1. The map $e$ is bilinear: given $Q, R \in G_1$ and $a, b \in Z_q^*$, we have $e(aQ, bR) = e(Q, R)^{ab}$.

2. The map $e$ is non-degenerate: $e(P, P) \neq 1_{G_2}$.

3. The map e is efficiently computable. 

Typically, the map e will be derived from either the Weil or Tate pairing on an elliptic curve over 
a finite field. 

3 Three Versions of the SOK Protocol and the Substitution Rules

We first focus on the SOK ID-based key setting [35]. We show that the static SOK protocol from
[52] has two more variants, i.e., the semi-static and ephemeral SOK protocols.
Note that the figures given in the rest of the paper are all self-explanatory.

3.1 Static DH and the SOK-NIKD Protocols

As observed by Boyd, Mao and Paterson [3] and Ryu et al. [25], the two non-interactively shared static
secrets from the Diffie-Hellman protocol [T^] and the SOK non-interactive ID-based key distribution
(SOK-NIKD) protocol [35] are $F_{DH} = abP$ and $F_{SOK} = e(Q_A, Q_B)^s$, respectively.



Alice: long-term private/public key pair $(a, Q_A = aP)$
Bob: long-term private/public key pair $(b, Q_B = bP)$
Alice -> Bob: $cert_A$
Bob -> Alice: $cert_B$
Alice computes: $F_{DH} = aQ_B = abP$
Bob computes: $F_{DH} = bQ_A = abP$

Figure 1: The Static DH Protocol [H]


Alice: long-term private/public key pair $(S_A = sQ_A, Q_A = H(ID_A))$
Bob: long-term private/public key pair $(S_B = sQ_B, Q_B = H(ID_B))$
Alice -> Bob: $ID_A$
Bob -> Alice: $ID_B$
Alice computes: $F_{SOK} = e(S_A, Q_B) = e(Q_A, Q_B)^s$
Bob computes: $F_{SOK} = e(S_B, Q_A) = e(Q_A, Q_B)^s$

Figure 2: The SOK-NIKD Protocol [32] — Static SOK


Important observation #1: $aQ_B \to e(S_A, Q_B)$.

3.2 Semi-Static and Ephemeral SOK Protocols 
3.2.1 The Semi-Static SOK Protocol 

It is well-known that the ElGamal encryption scheme [T3] is derived from the semi-static (or half-static,
half-ephemeral) Diffie-Hellman protocol [2^. Based on this seemingly obvious relation, we
find that the Boneh-Franklin ID-based encryption (IBE) [31 [57] is derived from the semi-static SOK
protocol (presented in Fig. 3). Note that Paterson and Srinivasan [23] also, independently, noticed
the relation. However, they do not give the term "semi-static SOK protocol" explicitly (let alone
the ephemeral SOK) and only use the static SOK protocol, i.e. the SOK-NIKD protocol. We
stress that the explicit classification of the SOK protocol, corresponding to the three versions of the
Diffie-Hellman protocol, is essential for the main result of this paper.

In the rest of the paper, $P_0$ stands for the public key of the private key generator (PKG), with
$P_0 = sP$ and $s$ being the master private key of the PKG.

Alice: (Alice has no static keys.)
Bob: long-term private/public key pair $(S_B = sQ_B, Q_B = H(ID_B))$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Alice -> Bob: $T_A$
Bob -> Alice: $ID_B$
Alice computes: $F_{ssSOK} = e(P_0, xQ_B)$
Bob computes: $F_{ssSOK} = e(S_B, T_A)$

Figure 3: The Semi-Static SOK Protocol



3.2.2 The Ephemeral SOK Protocol 

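The protocol is presented in Fig. 4.

Alice: (Alice has no static keys.)
Bob: (Bob has no static keys either.)
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $F_{eSOK} = e(P_0, xT_B) = e(P_0, P)^{xy}$
Bob computes: $F_{eSOK} = e(P_0, yT_A) = e(P_0, P)^{xy}$

Figure 4: Ephemeral SOK Protocol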



3.3 The UM and the RYY Protocols 

The RYY protocol [25] is built upon the UM protocol [U 115^1 . The two session secrets of the two
protocols are $K = F_{DH} \| xyP$ and $K = F_{SOK} \| xyP$, respectively. A common weakness of them is
that they do not possess K-CI resilience [3 135] .

^1 Later, however, we will see that in the exact ID-based version of the UM protocol, $xyP$ should be replaced by
$e(xsP, yP)$. This creates an escrowable RYY protocol.

Alice: long-term private/public key pair $(a, Q_A = aP)$
Bob: long-term private/public key pair $(b, Q_B = bP)$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $F_{DH} = aQ_B = abP$, $k = xT_B = xyP$, $sk = H_2(A \| B \| F_{DH} \| k)$
Bob computes: $F_{DH} = bQ_A = abP$, $k = yT_A = xyP$, $sk = H_2(A \| B \| F_{DH} \| k)$

Figure 5: The UM Protocol [l]


Alice: long-term private/public key pair $(S_A = sQ_A, Q_A = H(ID_A))$
Bob: long-term private/public key pair $(S_B = sQ_B, Q_B = H(ID_B))$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $F_{SOK} = e(S_A, Q_B) = e(Q_A, Q_B)^s$, $k = xT_B = xyP$, $sk = H_2(A \| B \| F_{SOK} \| k)$
Bob computes: $F_{SOK} = e(S_B, Q_A) = e(Q_A, Q_B)^s$, $k = yT_A = xyP$, $sk = H_2(A \| B \| F_{SOK} \| k)$

Figure 6: The RYY Protocol [25]



3.4 The MTI/A0 and the Smart Protocols

For those who are unfamiliar with the MTI protocol family, we refer to [22], [9], [8]. The same design
idea that produces the MTI/A0 and the Smart protocols was previously noticed, e.g. in [36], where the
authors used the term "Encrypt-Decrypt method". Concretely, the MTI/A0 protocol is based on
the standard ElGamal encryption, while Smart's protocol [31] is based on the Boneh-Franklin IBE
[3]. However, the relations between the computation of the two session secrets (c.f. the following
observation No. 2) have not been identified before. The two session secrets of the two protocols
are $K = aT_B + xQ_B$ and $K = e(S_A, T_B)e(sP, xQ_B)$, respectively. A common weakness of the two
protocols is that they do not have perfect forward secrecy (PFS).

Alice: long-term private/public key pair $(a, Q_A = aP)$
Bob: long-term private/public key pair $(b, Q_B = bP)$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $K = aT_B + xQ_B = (ay + bx)P$, $sk = H_2(A \| B \| K)$
Bob computes: $K = bT_A + yQ_A = (ay + bx)P$, $sk = H_2(A \| B \| K)$

Figure 7: The MTI/A0 Protocol [23]


Alice: long-term private/public key pair $(S_A = sQ_A, Q_A = H(ID_A))$
Bob: long-term private/public key pair $(S_B = sQ_B, Q_B = H(ID_B))$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $K = e(S_A, T_B)e(sP, xQ_B)$, $sk = H_2(A \| B \| K)$
Bob computes: $K = e(S_B, T_A)e(sP, yQ_A)$, $sk = H_2(A \| B \| K)$

Figure 8: The Smart Protocol [21]



From our first observation, $aT_B$ should be changed to $e(S_A, T_B)$. Here we further notice that $xQ_B$
is changed to $e(sP, xQ_B)$, with the help of the master public key $P_0$ ($P_0 = sP$)^2. Therefore, we get
our second observation. Here $Q_i$ ($i \in \{1, 2\}$) are any publicly computable elements in group $G_1$, such
as $Q_A + Q_B$, $Q_A + T_B$, with $Q_A$, $Q_B$ being public keys and $T_B$ being the protocol message sent out
by Bob.

Important observation #2: $aQ_1 + xQ_2 \to e(S_A, Q_1)e(P_0, xQ_2)$.

We summarize the above two observations with the following two substitution rules in Table 3.

^2 In [34], it was shown that under the SOK key setting, IBE also exists if the master public key of the PKG is set
to be $P_0 = s^{-1}P$. We stress that this is also true with ID-based key agreement protocols, namely setting $P_0 = s^{-1}P$
will not affect the correctness and security of the A0 type ID-based protocols (e.g., Smart's, the SYL and our proposed
ID-MQV); all that is needed is to replace the protocol message $T_A = xP$ with $T_A = xP_0$, and then adjust the computation
of the session secrets accordingly.

Table 3: Substitution Rules for the SOK Key Construction

            Auth. DH                                     ID-Based Protocols
Notations   Static private key: $a$                      Static private key: $S_A = sQ_A$
            Static public key: $Q_A = aP$                Static public key: $Q_A = H(ID_A)$
            Ephemeral private key: $x$                   Ephemeral private key: $x$
            Publicly computable group elements:          Publicly computable group elements:
            $Q, Q_1, Q_2$                                $Q, Q_1, Q_2$
Two Rules   Rule 1. $K = aQ$                        =>   $K = e(S_A, Q)$
            Rule 2. $K = aQ_1 + xQ_2$               =>   $K = e(S_A, Q_1)e(P_0, xQ_2)$




4 Relations between Pairs of Existing Protocols 

Applying the above two important substitution rules, we discover some unpublished relations between 
some pairs of existing protocols. 

4.1 The MTI/A1 and the Chen-Kudla Protocols

The Chen-Kudla protocol [11] can be obtained by directly applying the above two substitution rules.
In MTI/A1, the session secret is $K = aT_B + axQ_B$. Therefore in its ID-based counterpart, the
session secret is $K = e(S_A, T_B)e(S_A, xQ_B) = e(S_A, T_B + xQ_B)$. This is exactly the Chen-Kudla [11]
protocol!



Alice: long-term private/public key pair $(a, Q_A = aP)$
Bob: long-term private/public key pair $(b, Q_B = bP)$
Alice: $x \in_R Z_q^*$, $T_A = xQ_A$
Bob: $y \in_R Z_q^*$, $T_B = yQ_B$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $K = aT_B + axQ_B = a(T_B + xQ_B)$, $sk = H_2(A \| B \| K)$
Bob computes: $K = bT_A + byQ_A = b(T_A + yQ_A)$, $sk = H_2(A \| B \| K)$

Figure 9: The MTI/A1 Protocol [23]


Alice: long-term private/public key pair $(S_A = sQ_A, Q_A = H(ID_A))$
Bob: long-term private/public key pair $(S_B = sQ_B, Q_B = H(ID_B))$
Alice: $x \in_R Z_q^*$, $T_A = xQ_A$
Bob: $y \in_R Z_q^*$, $T_B = yQ_B$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $K = e(S_A, T_B + xQ_B)$, $sk = H_2(A \| B \| T_A \| T_B \| K)$
Bob computes: $K = e(S_B, T_A + yQ_A)$, $sk = H_2(A \| B \| T_A \| T_B \| K)$

Figure 10: The Chen-Kudla Protocol [11]



4.2 The MQV-1 and Wang's Protocols 

Wang's protocol [33] can be obtained from the so-called MQV-1 protocol by directly applying the 
above two rules. 

We first review the famous MQV [18] protocol. Note that the HMQV protocol [17] is a hashed 
variant of the MQV protocol. 



Alice: long-term private/public key pair $(a, Q_A = aP)$
Bob: long-term private/public key pair $(b, Q_B = bP)$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $h_A = H_1(Q_B, T_A)$, $h_B = H_1(Q_A, T_B)$, $K = (x + ah_A)(T_B + h_BQ_B)$, $sk = H_2(A \| B \| T_A \| T_B \| K)$
Bob computes: $h_B = H_1(Q_A, T_B)$, $h_A = H_1(Q_B, T_A)$, $K = (y + bh_B)(T_A + h_AQ_A)$, $sk = H_2(A \| B \| T_A \| T_B \| K)$

Figure 11: The (H)MQV Protocol [18] [17]


The MQV-1 protocol can be obtained by simply changing the protocol message $T_A = xP$ to be
$T_A = xQ_A$, and then adjusting the protocol accordingly. The session secret of the MQV-1 protocol
is $K = (x + h_A)a(T_B + h_BQ_B)$. Therefore in its ID-based counterpart, the session secret is
$K = e((x + h_A)S_A, T_B + h_BQ_B)$; this is exactly the Chow-Choo protocol [10] — a hashed variant of Wang's
protocol [33].

5 Obtaining the Real ID-Based MQV Protocol

5.1 Our ID-MQV Protocol

The session secret in (H)MQV is as follows:

$K = (x + h_A a)(T_B + h_BQ_B) = x(T_B + h_BQ_B) + h_A a(T_B + h_BQ_B)$.

We let $Q_1 = T_B + h_BQ_B$ and $Q_2 = h_A(T_B + h_BQ_B) = h_AQ_1$, then

$K = xQ_1 + aQ_2$.

Applying Rule #2, we obtain the ID-based version of this protocol — ID-MQV; its session secret $K$
is as follows:

$K = e(P_0, xQ_1)e(S_A, Q_2) = e(xP_0, Q_1)e(h_AS_A, Q_1) = e(xP_0 + h_AS_A, Q_1)$,

recall that $Q_1 = T_B + h_BQ_B$, thus we have

$K = e(xP_0 + h_AS_A, T_B + h_BQ_B)$.



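Alice: long-term private/public key pair $(S_A = sQ_A, Q_A = H(ID_A))$
Bob: long-term private/public key pair $(S_B = sQ_B, Q_B = H(ID_B))$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A = xP$
Bob -> Alice: $T_B = yP$
Alice computes: $h_A = H_1(Q_B, T_A)$, $h_B = H_1(Q_A, T_B)$, $K = e(xP_0 + h_AS_A, h_BQ_B + T_B)$, $sk = H_2(A \| B \| T_A \| T_B \| K)$
Bob computes: $h_B = H_1(Q_A, T_B)$, $h_A = H_1(Q_B, T_A)$, $K = e(yP_0 + h_BS_B, h_AQ_A + T_A)$, $sk = H_2(A \| B \| T_A \| T_B \| K)$

Figure 12: ID-MQV: ID-Based (H)MQV Protocol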



If we wipe off $h_A$ and $h_B$, then the above ID-MQV protocol degenerates into the Shim protocol
[28], which is given in Fig. 13. However, the Shim protocol is totally broken by Sun and Hsieh [29]. In
2005, Yuan and Li [40] repaired the Shim protocol using a very simple idea, namely just adding an
ephemeral Diffie-Hellman value. The improved protocol is called the Shim-Yuan-Li (SYL) protocol
(see Fig. 17) and was proven to be secure by Chen et al. [5 . In Fig. 18 we present the non-ID-based
version of the SYL protocol — nID-SYL.

Alice: long-term private/public key pair $(S_A = sQ_A, Q_A = H(ID_A))$
Bob: long-term private/public key pair $(S_B = sQ_B, Q_B = H(ID_B))$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $K = e(xP_0 + S_A, Q_B + T_B)$, $sk = H_2(A \| B \| K)$
Bob computes: $K = e(yP_0 + S_B, Q_A + T_A)$, $sk = H_2(A \| B \| K)$

Figure 13: The Shim Protocol [28]



5.2 Remarks on the ID-MQV Protocol 



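Alice: long-term private/public key pair $(S_A = sQ_A, Q_A = H(ID_A))$
Bob: long-term private/public key pair $(S_B = sQ_B, Q_B = H(ID_B))$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $h_A = H_1(Q_B, T_A)$, $h_B = H_1(Q_A, T_B)$, $K_1 = e(xP_0 + h_AS_A, h_BQ_B + T_B)$, $K_2 = xT_B = xyP$, $sk = H_2(A \| B \| T_A \| T_B \| K_1 \| K_2)$
Bob computes: $h_B = H_1(Q_A, T_B)$, $h_A = H_1(Q_B, T_A)$, $K_1 = e(yP_0 + h_BS_B, h_AQ_A + T_A)$, $K_2 = yT_A = xyP$, $sk = H_2(A \| B \| T_A \| T_B \| K_1 \| K_2)$

Figure 14: Escrowless ID-MQV: ID-Based (H)MQV Protocol with PKG-FS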



Our ID-MQV protocol has remarkable advantages over all the existing ID-based key agreement
protocols (from pairings).

1. From the format of the protocol messages, we argue that our ID-MQV is the real ID-based version
of the famous (H)MQV protocol. As mentioned above, the Chow-Choo and Wang protocols are
ID-based versions of the so-called (H)MQV-1 protocols, which have different protocol messages.

2. Separating perfect forward secrecy (PFS) from PKG forward secrecy (PKG-FS). Note that
PKG-FS also means escrowless. We argue that in some applications (as also pointed out by
McCullagh and Barreto [20]) key escrow is a requirement or even a must. However, if we
remove $K_1 = abP$ from the SYL protocol [ID] to open escrow, then it becomes totally insecure
(which is exactly Shim's protocol [28]), let alone PFS. Our new protocol can be securely used
in the escrowed model (i.e., w/o $xyP$), providing PFS. When $xyP$ is added, the protocol becomes
escrowless (and achieves PKG-FS, see Fig. 14). In a word, $xyP$ clearly separates PFS from
PKG-FS, and our new protocol (ID-MQV) can be used with or without escrow.

3. Compared with Wang's protocol [33] (and the Chow-Choo protocol [10]), our protocol does not
need an extra message exchange to close escrow, while the latter requires a party to send out an
extra point, which at the same time brings extra computation for the party.

4. The new protocol can be further strengthened to achieve stronger security, i.e., to be secure in
the extended Canetti-Krawczyk (eCK) model which allows ephemeral secret key reveal. (Using
the same idea from [F, .)
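
The Rule 2 conversion from (H)MQV (Fig. 11) to ID-MQV (Fig. 12) and the escrow remark in item 2 can be checked numerically. The following Python sketch is an added example, not code from the paper: it uses a constructed toy pairing that stores each $G_1$ element by its discrete log, so it verifies the algebra only and is not secure. The names `e`, `h`, `mqv`, `id_mqv`, `session_key` and the use of SHA-256 for $H$, $H_1$, $H_2$ are assumptions.

```python
import hashlib
import secrets

# Toy model for checking the algebra only (constructed parameters, not secure):
# a G1 element kP is stored as the scalar k mod q, and e(uP, vP) = g^(uv) mod p,
# which is bilinear and non-degenerate by construction.
q, p, g = 1019, 2039, 4      # q prime, p = 2q + 1 prime, g of order q in Z_p^*
P = 1                        # generator of G1 in the scalar representation

def e(U, V):
    return pow(g, (U * V) % q, p)

def h(*parts):
    """Hash to a nonzero scalar; assumed stand-in for H and H1."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1

def mqv(a, b, x, y):
    """(H)MQV of Fig. 11: the G1 element K as computed by Alice and by Bob."""
    QA, QB, TA, TB = a * P % q, b * P % q, x * P % q, y * P % q
    hA, hB = h("H1", QB, TA), h("H1", QA, TB)
    K_alice = (x + hA * a) * (TB + hB * QB) % q
    K_bob = (y + hB * b) * (TA + hA * QA) % q
    return K_alice, K_bob

def id_mqv(s, id_a, id_b, x, y):
    """ID-MQV of Fig. 12: K for Alice, for Bob, and for the PKG holding s."""
    P0 = s * P % q                            # master public key
    QA, QB = h("H", id_a), h("H", id_b)       # Q_ID = H(ID)
    SA, SB = s * QA % q, s * QB % q           # private keys issued by the PKG
    TA, TB = x * P % q, y * P % q             # protocol messages
    hA, hB = h("H1", QB, TA), h("H1", QA, TB)
    # Rule 2: x*Q1 + a*Q2 becomes e(P0, x*Q1) * e(S_A, Q2) = e(x*P0 + hA*S_A, Q1)
    K_alice = e((x * P0 + hA * SA) % q, (TB + hB * QB) % q)
    K_bob = e((y * P0 + hB * SB) % q, (TA + hA * QA) % q)
    # Escrow: the PKG uses only the transcript, the identities and s.
    K_pkg = pow(e((TA + hA * QA) % q, (TB + hB * QB) % q), s, p)
    return K_alice, K_bob, K_pkg, (TA, TB)

def session_key(id_a, id_b, TA, TB, *shared):
    """sk = H2(A || B || T_A || T_B || K ...), with SHA-256 as an assumed H2."""
    data = repr((id_a, id_b, TA, TB, shared)).encode()
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    s, x, y = (secrets.randbelow(q - 1) + 1 for _ in range(3))
    K_a, K_b, K_pkg, (TA, TB) = id_mqv(s, "alice", "bob", x, y)
    print("Alice and Bob agree:", K_a == K_b)
    print("PKG recovers K from the transcript and s:", K_pkg == K_a)
    # Fig. 14 adds K2 = x*T_B = xyP. Knowing s does not help with it: in a
    # real group, computing xyP from xP and yP is a CDH instance.
    K2 = x * TB % q
    print("escrowed sk:  ", session_key("alice", "bob", TA, TB, K_a))
    print("escrowless sk:", session_key("alice", "bob", TA, TB, K_a, K2))
```

The PKG's computation is $e(T_A + h_AQ_A, T_B + h_BQ_B)^s$, which equals both parties' $K$ because every term of $xP_0 + h_AS_A$ carries the factor $s$.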

6 Beyond the SOK ID-Based Key Construction 

Now we look at the SK key setting. For details on the key setting, please refer to f3Q] and [20], [38].
Here we note that the master private and public key pair of the PKG is $(s, P_0 = sP)$. $u$ is part of a
user's static public key and for Alice $u_A = H'(ID_A) \in Z_q^*$.

We discover that the key transport protocol behind the SK-IBE [BU] is simply the ID-based version
of the Hughes protocol [16]. This is mainly because the static private keys of the receivers in the two
protocols are both inversion-based. The substitution rules are listed in Table 4.



Table 4: Substitution Rules for the SK Key Construction

            Auth. DH                               ID-Based Protocols
Notations   Static key pair:                       Static key pair:
            $(a, Q_A = aP)$                        $(S_A = (s + u_A)^{-1}P, Q_A = P_0 + u_AP = (s + u_A)P)$
            Ephemeral private key: $x$             Ephemeral private key: $x$
            Publicly computable element: $Q$       Publicly computable element: $Q$
Two Rules   Rule 1. $K = a^{-1}Q$             =>   $K = e(S_A, Q)$
            Rule 2. $K = xP$                  =>   $K = e(P, P)^x$


Using the above rules, we can establish the relations between the MB protocols [20, 21] and the
MTI/C0 and MTI/B0 [23] protocols (c.f. Table 1); the details are omitted here. Next, based on
the enhanced MTI/C0 protocol (i.e. the ECKE-1N protocol), we propose a highly efficient ID-based
protocol — eMB.



6.1 Review of the ECKE-1N Protocol

This protocol was initially designed using the ideas from MQV. It was later included in a Letter
that appeared in IEEE Communications Letters entitled "Cryptanalysis and Improvement of an Elliptic
Curve Diffie-Hellman Protocol" [37]. (Also available at IACR ePrint, report 2007/026.) The protocol
is given in Fig. 15.

Alice: long-term private/public key pair $(a, Q_A = aP)$
Bob: long-term private/public key pair $(b, Q_B = bP)$
Alice: $x \in_R Z_q^*$, $T_A = xQ_B$
Bob: $y \in_R Z_q^*$, $T_B = yQ_A$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $h_A = H_1(Q_B, T_A)$, $h_B = H_1(Q_A, T_B)$, $K = a^{-1}(x + h_A)(T_B + h_BQ_A) = (x + h_A)(y + h_B)P$, $sk = H_2(A \| B \| T_A \| T_B \| K)$
Bob computes: $h_B = H_1(Q_A, T_B)$, $h_A = H_1(Q_B, T_A)$, $K = b^{-1}(y + h_B)(T_A + h_AQ_B) = (x + h_A)(y + h_B)P$, $sk = H_2(A \| B \| T_A \| T_B \| K)$

Figure 15: The Enhanced MTI/C0 Protocol — ECKE-1N



6.2 The eMB Protocol 

Applying the substitution rules from Table 4, we convert our ECKE-1N into an ID-based
authenticated key agreement protocol which is the enhanced version of the McCullagh-Barreto protocol
[20, 21] — eMB.



Alice: long-term private/public key pair $(S_A = (s + u_A)^{-1}P, Q_A = P_0 + u_AP = (s + u_A)P)$
Bob: long-term private/public key pair $(S_B = (s + u_B)^{-1}P, Q_B = P_0 + u_BP = (s + u_B)P)$
Alice: $x \in_R Z_q^*$, $Q_B = P_0 + u_BP = (s + u_B)P$, $T_A = xQ_B$
Bob: $y \in_R Z_q^*$, $Q_A = P_0 + u_AP = (s + u_A)P$, $T_B = yQ_A$
Alice -> Bob: $T_A$
Bob -> Alice: $T_B$
Alice computes: $h_A = H(Q_B, T_A)$, $h_B = H(Q_A, T_B)$, $K = e((x + h_A)S_A, T_B + h_BQ_A) = e(P, P)^{(x + h_A)(y + h_B)}$, $sk = H_2(A \| B \| T_A \| T_B \| K)$
Bob computes: $h_B = H(Q_A, T_B)$, $h_A = H(Q_B, T_A)$, $K = e((y + h_B)S_B, T_A + h_AQ_B)$, $sk = H_2(A \| B \| T_A \| T_B \| K)$

Figure 16: The eMB Protocol


We remark that the substitution rules in the SK ID-based key setting can also be applied to the
SK variants, e.g. Gentry's key setting and the second Boneh-Boyen (BB2) scheme P].
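
The SK-setting conversion from ECKE-1N (Fig. 15) to eMB (Fig. 16) can be checked the same way. The following Python sketch is an added example, not code from the paper: it uses a constructed toy pairing that stores each $G_1$ element by its discrete log, so it verifies the algebra only and is not secure. The names `e`, `h`, `inv`, `sk_extract`, `pick_master`, `ecke_1n`, `emb` and the SHA-256 instantiation of $H$, $H'$, $H_1$ are assumptions.

```python
import hashlib

# Toy model for checking the algebra only (constructed parameters, not secure):
# kP is stored as the scalar k mod q and e(uP, vP) = g^(uv) mod p.
q, p, g = 1019, 2039, 4      # q prime, p = 2q + 1 prime, g of order q in Z_p^*
P = 1

def e(U, V):
    return pow(g, (U * V) % q, p)

def h(*parts):
    """Hash to a nonzero scalar; assumed stand-in for H, H' and H1."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1

def inv(k):
    if k % q == 0:
        raise ValueError("scalar is not invertible mod q")
    return pow(k, -1, q)

def ecke_1n(a, b, x, y):
    """ECKE-1N of Fig. 15: K for Alice, K for Bob, and (x + hA)(y + hB)P."""
    QA, QB = a * P % q, b * P % q
    TA, TB = x * QB % q, y * QA % q
    hA, hB = h("H1", QB, TA), h("H1", QA, TB)
    K_alice = inv(a) * (x + hA) * (TB + hB * QA) % q
    K_bob = inv(b) * (y + hB) * (TA + hA * QB) % q
    return K_alice, K_bob, (x + hA) * (y + hB) * P % q

def sk_extract(s, ident):
    """SK key pair: S = (s + u)^-1 P, Q = P0 + uP. Fails when s + u = 0 mod q."""
    u = h("H'", ident)
    return inv(s + u) * P % q, (s + u) * P % q

def pick_master(ids):
    """Smallest s >= 2 for which every identity in ids has an invertible s + u."""
    return next(s for s in range(2, q) if all((s + h("H'", i)) % q for i in ids))

def emb(s, id_a, id_b, x, y):
    """eMB of Fig. 16: K for Alice, K for Bob, and e(P, P)^((x + hA)(y + hB))."""
    SA, QA = sk_extract(s, id_a)
    SB, QB = sk_extract(s, id_b)
    TA, TB = x * QB % q, y * QA % q
    hA, hB = h("H", QB, TA), h("H", QA, TB)
    # Rule 1: a^-1 * Q becomes e(S_A, Q); the factor (s + u_A) cancels.
    K_alice = e((x + hA) * SA % q, (TB + hB * QA) % q)
    K_bob = e((y + hB) * SB % q, (TA + hA * QB) % q)
    return K_alice, K_bob, pow(e(P, P), (x + hA) * (y + hB) % q, p)

if __name__ == "__main__":
    s = pick_master(["alice", "bob"])
    K_a, K_b, expected = emb(s, "alice", "bob", 321, 654)
    print("eMB: Alice and Bob agree:", K_a == K_b == expected)
    k_a, k_b, k_exp = ecke_1n(11, 22, 33, 44)
    print("ECKE-1N: Alice and Bob agree:", k_a == k_b == k_exp)
```

`sk_extract` rejects the one case where the inversion-based key does not exist, $s + u \equiv 0 \pmod q$, which is the edge case a key-issuing implementation of this setting has to handle.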

A Obtaining an Authenticated DH Protocol from the SYL Protocol

The two protocols are presented in Fig. 17 and Fig. 18, respectively.

Alice: long-term private/public key pair $(S_A = sQ_A, Q_A = H(ID_A))$
Bob: long-term private/public key pair $(S_B = sQ_B, Q_B = H(ID_B))$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A = xP$
Bob -> Alice: $T_B = yP$
Alice computes: $K_1 = xT_B = xyP$, $K_2 = e(xP_0 + S_A, Q_B + T_B)$, $sk = H_2(A \| B \| T_A \| T_B \| K_1 \| K_2)$
Bob computes: $K_1 = yT_A = xyP$, $K_2 = e(yP_0 + S_B, Q_A + T_A)$, $sk = H_2(A \| B \| T_A \| T_B \| K_1 \| K_2)$

Figure 17: The SYL Protocol [40]

Alice: long-term private/public key pair $(a, Q_A = aP)$
Bob: long-term private/public key pair $(b, Q_B = bP)$
Alice: $x \in_R Z_q^*$, $T_A = xP$
Bob: $y \in_R Z_q^*$, $T_B = yP$
Alice -> Bob: $T_A = xP$
Bob -> Alice: $T_B = yP$
Alice computes: $K_1 = xT_B = xyP$, $K_2 = (x + a)(Q_B + T_B) = (x + a)(y + b)P$, $sk = H_2(A \| B \| T_A \| T_B \| K_1 \| K_2)$
Bob computes: $K_1 = yT_A = xyP$, $K_2 = (y + b)(Q_A + T_A) = (x + a)(y + b)P$, $sk = H_2(A \| B \| T_A \| T_B \| K_1 \| K_2)$

Figure 18: nID-SYL: A New Authenticated Diffie-Hellman Protocol



B Enhanced MTI/C1 Protocol

This protocol can be easily derived from our enhanced MTI/C0 protocol (i.e. the ECKE-1N protocol)
using the idea from [23].



Alice: long-term private/public key pair $(a, Q_A = aP)$
Bob: long-term private/public key pair $(b, Q_B = bP)$
Alice: $x \in_R Z_q^*$, $T_A = xaQ_B = xF_{DH}$
Bob: $y \in_R Z_q^*$, $T_B = ybQ_A = yF_{DH}$
Alice -> Bob: $T_A = xabP$
Bob -> Alice: $T_B = yabP$
Alice computes: $h_A = H_1(Q_B, T_A)$, $h_B = H_1(Q_A, T_B)$, $K = (x + a^{-1}h_A)(T_B + h_BQ_A) = (ax + h_A)(yb + h_B)P$, $sk = H_2(A \| B \| T_A \| T_B \| K)$
Bob computes: $h_B = H_1(Q_A, T_B)$, $h_A = H_1(Q_B, T_A)$, $K = (y + b^{-1}h_B)(T_A + h_AQ_B) = (by + h_B)(xa + h_A)P$, $sk = H_2(A \| B \| T_A \| T_B \| K)$

Figure 19: The Enhanced MTI/C1 Protocol